Ubiquiti UniFi Identity Endpoint - Google SSO Integration

In this guide, we’ll take you step-by-step through setting up the UniFi Identity Endpoint on the UniFi Dream Machine Pro (UDM-Pro) and integrating it with Google Workspace. This setup streamlines user onboarding and management, making it a breeze to control user access to your UniFi infrastructure - network (VPN & Wi-Fi), door access, cameras, phones, charging stations, and more.

Note: This guide is based on official Ubiquiti documentation and Google Workspace help articles. For the latest details or firmware-specific updates, check out the official sources from Ubiquiti Help Center and Google Workspace Support.

The UniFi Identity Endpoint is a free, revolutionary feature in the Ubiquiti ecosystem that transforms user provisioning into a seamless, one-click process. Users can instantly access a secure hub of essential services, making it a true game-changer for both admins and end-users. Pretty neat, right?

UniFi Identity Application

Available on macOS, Windows, Linux, iOS, and Android, UniFi Identity delivers a smooth, unified experience across all platforms. It’s a lifesaver for employee onboarding and ongoing management, especially for organizations with 50+ employees, cutting IT overhead and speeding up adoption.

Integrating Google Workspace with UniFi Identity

If your organization already relies on identity solutions like Google Workspace, Microsoft Entra AD, or local Active Directory, you’re in luck. This guide zeros in on syncing your Google Organization Directory with UniFi Access for a seamless experience.

Once integrated, your users will get automated onboarding emails with instructions to download the UniFi Identity app on their devices. They’ll log in with their Google Workspace credentials and instantly unlock access to doors controlled by UniFi Access—no extra hassle required.

UniFi Identity Endpoint setup overview

Step-by-Step Integration Guide

Let’s dive into the setup using the UniFi web interface:

  1. Log into your UniFi Access web interface.
  2. Head to Settings (gear icon).
  3. Click Admins & Users.
  4. Select the Identity Endpoint tab and agree to the terms to activate this feature.

Creating the Google LDAP Client

  1. Log into your Google Admin console and go to the Apps section.
  2. Select LDAP. If you don’t see it, double-check that your Google Workspace plan includes LDAP support.
  3. Click Add LDAP Client and set it up to fit your organization (e.g., pulling all users from yestechie.com).
  4. Download the certificate—you’ll need it for UniFi.
  5. Click to proceed and review the LDAP client details.

Plans with LDAP enabled

Google LDAP client setup

Generate and Download LDAP Client Certificate

Don’t forget to generate access credentials too. Save the LDAP client’s username and password from the Google Admin interface for the next step.

Add LDAP Client in Google Admin Console

Connecting Google LDAP to UniFi Identity Endpoint

Back in the UniFi web interface, under Identity Endpoint, pick your desired services (like door access or camera sharing), then click Directory Integration.

Setup Google LDAP for UniFi Identity Endpoint
  1. Enter your Root DN, e.g. dc=yestechie,dc=com for the yestechie.com domain. Make sure the Root DN is in the correct format, with no spaces.
  2. Enter the LDAP access credentials (the username and password you generated in the Google Admin Console) and upload the certificate you downloaded earlier.
  3. Hit ADD to kick off the synchronization.

LDAP Root DN
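As an added pre-flight check that is not part of this guide or of Ubiquiti's tooling: the Python below derives the Root DN from your Workspace domain, validates a hand-typed Root DN against the "correct format, no spaces" requirement, and builds an ldapsearch command that binds to Google Secure LDAP (ldaps://ldap.google.com:636, per Google's Secure LDAP documentation) with the downloaded client certificate and the access-credential username. LDAPTLS_CERT and LDAPTLS_KEY are OpenLDAP's standard environment variables for a client certificate; the domain, usernames, file names, e-mail address and the memberOf lookup are placeholders and assumptions, not values from the guide.

```python
import re
import shlex

# Google Secure LDAP endpoint, as documented by Google. Every other value in
# this file (domain, usernames, file names, e-mail addresses) is a constructed
# placeholder for illustration.
GOOGLE_LDAP_URI = "ldaps://ldap.google.com:636"

# One "dc=<label>" component: a DNS label; the attribute name is case-insensitive.
_DC_COMPONENT = re.compile(r"^dc=[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def domain_to_root_dn(domain: str) -> str:
    """Derive the Root DN UniFi asks for from the Workspace domain,
    e.g. 'yestechie.com' -> 'dc=yestechie,dc=com'."""
    labels = domain.strip().lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable domain: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def validate_root_dn(root_dn: str) -> list[str]:
    """Return the problems found in a hand-typed Root DN (empty list means OK).
    Catches the mistakes the guide warns about: stray spaces, a domain pasted
    in as-is, or components that are not dc=<label>."""
    problems = []
    if " " in root_dn:
        problems.append("contains spaces")
    parts = root_dn.replace(" ", "").split(",")
    if len(parts) < 2:
        problems.append("needs at least two dc= components, e.g. dc=example,dc=com")
    for part in parts:
        if not _DC_COMPONENT.match(part):
            problems.append(f"bad component {part!r}: expected dc=<label>")
    return problems


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a pasted value cannot change the filter's meaning."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def ldapsearch_preflight(root_dn: str, bind_user: str, cert_path: str,
                         key_path: str, mail: str) -> str:
    """Build an ldapsearch command that binds to Google Secure LDAP with the
    downloaded client certificate and the access-credential username, then
    looks up one user. -W prompts for the password instead of leaving it in
    shell history. Run it on any host with OpenLDAP's ldapsearch before typing
    the same values into UniFi: if the bind fails here, it will fail there."""
    problems = validate_root_dn(root_dn)
    if problems:
        raise ValueError("; ".join(problems))
    env = f"LDAPTLS_CERT={shlex.quote(cert_path)} LDAPTLS_KEY={shlex.quote(key_path)}"
    args = ["ldapsearch", "-H", GOOGLE_LDAP_URI, "-b", root_dn, "-D", bind_user,
            "-W", f"(mail={ldap_filter_escape(mail)})", "mail", "memberOf"]
    return env + " " + " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    dn = domain_to_root_dn("yestechie.com")
    print(dn, validate_root_dn(dn) or "ok")
    print(validate_root_dn("dc=yestechie, dc=com"))
    print(ldapsearch_preflight(dn, "ldap-client-user", "ldap-client.crt",
                               "ldap-client.key", "jane@yestechie.com"))
```

The printed command is meant to be pasted into a terminal on a machine that has the certificate and key files; a successful result returns the user's mail attribute (and, if memberOf is supported for your tenant, the groups you will later use for group mapping), which confirms the certificate, credentials and Root DN before they go into UniFi.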

Optional: Automate Permissions with Group Mapping

Want to simplify permission management? Group mapping is the way to go! By connecting UniFi Access groups to your existing Google Workspace groups, you can automate access permissions and keep everything running smoothly. It’s a clever way to stay organized and efficient. Let’s walk through the setup together.

Before we jump into mapping, we’ll need to lay the groundwork by creating access policies and user groups in UniFi Access. This ensures everything’s ready when we tie it all together with Google Workspace.

Step 1: Create Access Policies

First, let’s define who gets access to what and when:

  1. Head to Settings and select Policies & Schedules.
  2. Click Create New to start building a new policy.
  3. For Locations, pick Custom and choose the doors this policy will control.
  4. For Users, select Custom. We’ll fill this in later with users synced from Google LDAP.
  5. Want time-based access? Optionally, set up Schedules to specify when the policy applies.
  6. Hit Create to save your shiny new policy.

Create new policy in UniFi Access

Configuring a new access policy

Step 2: Create User Groups

Next, let’s group our users and link them to the policy we just made:

  1. Navigate back to Admins & Users and click the Users tab.
  2. Select Manage Groups, then click Create New.
  3. Give your group a clear name—like “Office Staff”—to keep things intuitive.
  4. Under Assignments, click Add Access Policies and pick the policy you created earlier.
  5. Click Create to lock it in.

Creating a new user group with assigned policies

Step 3: Set Up Group Mapping

Now for the fun part—connecting your UniFi Access groups to Google Workspace:

  1. Go to the Identity Endpoint tab.
  2. Click on your Google LDAP directory and head to its settings.
  3. Choose Group Mapping.
  4. Map your existing Google Workspace groups to the UniFi Access groups you just created. This links the groups, automatically applying the attached policies and schedules to users based on their Google group membership.

Configuring group mapping between Google Workspace and UniFi Access

Why This Works

With group mapping in place, you’ve just streamlined access management! Permissions will stay in sync with your Google Workspace directory, updating automatically as your team evolves. It’s a powerful, time-saving feature that keeps your UniFi Access system humming along.
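To make the three steps above and the "stays in sync" claim concrete, here is an added worked model of group mapping in Python. It is not UniFi's code and does not talk to UniFi or Google; it is a constructed sample directory (the yestechie.com users, groups, doors and schedules are placeholders) run through the same rules the guide describes: a user gets the union of the policies attached to every UniFi group that their Google groups map to, an unmapped Google group grants nothing, and removing someone from a Google group changes their doors with no edit in UniFi. It also adds two audit checks a practitioner would want: Google groups nobody mapped, and mappings pointing at a group that no longer exists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    """A UniFi Access policy: which doors, and when (Step 1)."""
    name: str
    doors: frozenset[str]
    schedule: str = "Always"


@dataclass(frozen=True)
class UnifiGroup:
    """A UniFi Access user group with its assigned policies (Step 2)."""
    name: str
    policies: tuple[AccessPolicy, ...]


# Constructed sample policies and groups (placeholders, not a real deployment).
FRONT_DOOR = AccessPolicy("Front door, business hours", frozenset({"front-door"}),
                          "Mon-Fri 08:00-18:00")
SERVER_ROOM = AccessPolicy("Server room", frozenset({"server-room"}))

UNIFI_GROUPS = {
    "Office Staff": UnifiGroup("Office Staff", (FRONT_DOOR,)),
    "IT Admins": UnifiGroup("IT Admins", (FRONT_DOOR, SERVER_ROOM)),
}

# Constructed sample of the synced directory: Google group -> member e-mails.
GOOGLE_GROUPS = {
    "office-staff@yestechie.com": {"jane@yestechie.com", "raj@yestechie.com"},
    "it-admins@yestechie.com": {"raj@yestechie.com"},
    "contractors@yestechie.com": {"sam@yestechie.com"},
}

# The group mapping from Step 3: Google group -> UniFi Access group.
# contractors@ is deliberately left unmapped: no mapping, no doors.
GROUP_MAPPING = {
    "office-staff@yestechie.com": "Office Staff",
    "it-admins@yestechie.com": "IT Admins",
}


def effective_policies(email, google_groups=GOOGLE_GROUPS, mapping=GROUP_MAPPING,
                       unifi_groups=UNIFI_GROUPS) -> set[AccessPolicy]:
    """Union of the policies of every mapped UniFi group whose Google
    counterpart contains the user. Membership in an unmapped group adds nothing."""
    policies: set[AccessPolicy] = set()
    for ggroup, members in google_groups.items():
        if email in members and ggroup in mapping:
            policies.update(unifi_groups[mapping[ggroup]].policies)
    return policies


def doors_for(email, **directory) -> set[str]:
    """Doors the user can open under the given directory state."""
    return {door for p in effective_policies(email, **directory) for door in p.doors}


def after_leaving_group(email, group, google_groups=GOOGLE_GROUPS) -> set[str]:
    """Door set once the user is removed from a Google group: the access change
    follows the directory change, with no edit in UniFi."""
    updated = {g: set(m) for g, m in google_groups.items()}
    updated.get(group, set()).discard(email)
    return doors_for(email, google_groups=updated)


def unmapped_google_groups(google_groups=GOOGLE_GROUPS, mapping=GROUP_MAPPING) -> set[str]:
    """Groups whose members get no access at all; review so nobody is missed
    and nothing is mapped by accident."""
    return set(google_groups) - set(mapping)


def dangling_mappings(mapping=GROUP_MAPPING, unifi_groups=UNIFI_GROUPS,
                      google_groups=GOOGLE_GROUPS) -> set[str]:
    """Mapping entries that point at a renamed or deleted group on either side."""
    return {g for g, u in mapping.items() if g not in google_groups or u not in unifi_groups}


if __name__ == "__main__":
    for user in ("jane@yestechie.com", "raj@yestechie.com", "sam@yestechie.com"):
        print(user, sorted(doors_for(user)))
    print("raj after leaving it-admins:",
          sorted(after_leaving_group("raj@yestechie.com", "it-admins@yestechie.com")))
    print("unmapped:", unmapped_google_groups())
    print("dangling:", dangling_mappings())
```

Running it shows jane opening only the front door, raj opening both doors and dropping back to the front door once removed from it-admins@, and sam (contractors@, unmapped) opening nothing. The two audit functions are the checks worth repeating whenever groups are renamed on either side, since a dangling mapping silently grants nothing.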

Delegated Authentication Setup

Ready to let users log in with their Google accounts? Here’s how:

  1. In the UniFi Identity Endpoint settings, find and select Advanced Settings.
  2. Turn on Delegated Authentication.
Delegated authentication settings

Once done, you’ll see the synchronized user count and LDAP details in the interface. Users will receive onboarding emails, making their setup experience a breeze.

UniFi Identity Endpoint with Google LDAP synchronized

Managing Users in UniFi Identity

Head to the Users tab to see synchronized users and their groups. Admins can tweak group assignments, update policies, or resend onboarding emails whenever needed.

Managing users in UniFi Identity

We’ve seen firsthand how UniFi Identity Endpoint transforms onboarding and management for our clients—and we’re confident it’ll do the same for you. Need help integrating Ubiquiti UniFi solutions into your organization? We’re here to make it smooth and painless.
